The Gambling Industry Faces Up to GDPR

On Friday, May 25, just five weeks away, GDPR will come into force. The initials stand for the General Data Protection Regulation, which will impact everyone in the European Union and companies outside the EU who deal with EU citizens.

We wrote last week about the stance the UK Gambling Commission is taking on GDPR. In that article, we outlined the basic details of GDPR. In this second article, we look in more detail at the position of the gambling industry as May 25 approaches and outline what GDPR could mean for consumers.

Please note that this article was written in the UK. GDPR will remain UK law after Brexit and will therefore continue to affect UK companies and consumers. It will not affect consumers outside the EU but will affect companies dealing with EU citizens. GDPR will be enforced by heavy fines and there is little doubt, as the EU showed when it fined Google $2.7bn in an anti-trust case, that it will be eager to make an example of a high-profile company operating outside the EU.

“The right to be forgotten”

When GDPR comes into force we, as customers and consumers, will have to explicitly give our consent for our data to be captured and used, but the GDPR regulations also make it clear that this consent can be withdrawn and revoked at any time. We can exercise “our right to be forgotten.”

Broadly speaking, we can ask an organization to remove or delete our data when they have no compelling reason to hold it. For example, if I move my gas and electricity from supplier A to supplier B, then supplier A has no need to hold on to my details – name, address, payment history and so on – and I can ask for it to be deleted.

In these cases, the business concerned must “take all reasonable steps” to comply with my request and must do so “without undue delay,” which is generally held to be within a month unless specific circumstances make that impossible. If the company has shared my data with other companies – one of the so-called “trusted partners” we all tick the box to avoid – then it must also notify those companies of my request.

How can gambling companies cope?

“With difficulty” is the short answer. As we wrote a week ago, the UKGC is taking a very firm line, demanding that operators meet both the regulator’s own requirements and those of GDPR. At the same time, it is demanding that gambling companies should retain customers’ data for five years after the relationship ends, “where the data in any way relates to regulatory compliance.”

Quite how the operators will square this circle is open to question. If I were a money-launderer, I would be looking forward to my “right to be forgotten.” Place a series of bets with a bookmaker, get paid out, close the account and move my freshly laundered money somewhere else, not forgetting to write to the bookie, citing GDPR and asking that they kindly delete all my records. No wonder the UKGC is taking a firm stance.

The administrative problem

GDPR will unquestionably concentrate people’s minds on their data and what it is being used for. I suspect that what will happen after May 25 is that companies will be inundated with requests to remove data. People will also be much more aware that they can withhold data and will decide to do so.

Gambling operators may well find themselves fielding heavy numbers of demands to be forgotten. This is going to place an administrative burden on them. In addition, they may need to decide who wants to be forgotten because they are tidying up their online footprint, and who wants to be forgotten for rather more sinister reasons.

The alternative view

There are some sections of the gambling industry that see GDPR as an opportunity, not a problem. Specifically, the chance it offers customers to control the sort of marketing messages they receive could allow operators to offer a much more tailored approach to their customers.

To give a simple example, I am regularly bombarded with offers for “in-play” betting on football matches. Other than backing the 0-0 draw on Betfair when a football match is boring me senseless, I have never placed an “in-play” bet.

The theory is that, if I can opt out of this type of marketing, and receive only marketing that is specific to my interests, then I will have a better relationship with a particular operator.

Yes, there is unquestionably a chance for operators to use the demands of GDPR to try gaining a competitive advantage, but the question is: Will their customers respond? I suspect that, with data breaches at the back of their minds and the words “right to be forgotten” all around them, far too many customers will simply check the box that says, “Unsubscribe from all messages.”

If the operators really want to retain clients and build a closer relationship with them after May 25, there might be more fundamental forces at work. The soon-to-be-managerless Arsenal plays West Ham on Sunday. Could that be a chance for the Hammers to move further away from relegation? Bet365 can send me all the marketing messages they want, but as I write they’re only offering 5/1 on David Moyes’ team. Marathon Bet will offer me 53/10 – and that will always be the most powerful marketing message of them all.